13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73

Analysis

max time kernel
146s
max time network
161s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
Size

506KB
MD5

b153ea5996f9a64f1c1da4bb7298680e
SHA1

cec8c0b3853836265a11d2cdb1cda41c4a0ac79c
SHA256

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73
SHA512

1420231956da8ca362569f2fbcdc86d3e03741701b9a38a100392d427f3d4bf37a1077e32b252651feaa9dbf7b82c351431986527f7ca49560e36f5fac0d593b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

83208120.exentutrf.exentutrf.exe

pid process

1560 83208120.exe
1660 ntutrf.exe
1032 ntutrf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1560	83208120.exe
1660	ntutrf.exe
1032	ntutrf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ntutrf.exe

pid	process
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe
1660	ntutrf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

83208120.exentutrf.exentutrf.exe

description pid process

Token: SeDebugPrivilege 1560 83208120.exe
Token: SeDebugPrivilege 1660 ntutrf.exe
Token: SeDebugPrivilege 1032 ntutrf.exe

description	pid	process
Token: SeDebugPrivilege	1560	83208120.exe
Token: SeDebugPrivilege	1660	ntutrf.exe
Token: SeDebugPrivilege	1032	ntutrf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exetaskeng.exe

description	pid	process	target process
PID 2044 wrote to memory of 1560	2044	13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe	83208120.exe
PID 2044 wrote to memory of 1560	2044	13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe	83208120.exe
PID 2044 wrote to memory of 1560	2044	13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe	83208120.exe
PID 436 wrote to memory of 1660	436	taskeng.exe	ntutrf.exe
PID 436 wrote to memory of 1660	436	taskeng.exe	ntutrf.exe
PID 436 wrote to memory of 1660	436	taskeng.exe	ntutrf.exe
PID 436 wrote to memory of 1032	436	taskeng.exe	ntutrf.exe
PID 436 wrote to memory of 1032	436	taskeng.exe	ntutrf.exe
PID 436 wrote to memory of 1032	436	taskeng.exe	ntutrf.exe

C:\Users\Admin\AppData\Local\Temp\13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
"C:\Users\Admin\AppData\Local\Temp\13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\7105377\83208120.exe
"C:\Users\Admin\AppData\Local\Temp\7105377\83208120.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\taskeng.exe
taskeng.exe {F515AFBB-7090-4BD5-9F21-1F33E859EFC4} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
920641eb1436161f314def91af3a9e96

SHA1
24b8a10ec4bac7a9d0e7d1e24da316e7a8714d95

SHA256
90f41a303e226ecf60a6c63132c70a6d09d245475f03d7ea97349d5ec562a33a

SHA512
192bae7550d66033d96c17332d9fae4050368f3abc8054073323cff45cd0eb06c8fd90124d47a28304f7d9fcfa3b30d4dc51767d44dd11be8b4d8b414e968010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
Filesize
242B

MD5
762edd65ed02f7f35cd408874e7c222d

SHA1
809575d743141808533c3e90356af90c10cdc583

SHA256
4ee63b2bf5d36f498df7056559a4e75c6020abc4444883d577ae7caa5cc3db4f

SHA512
3231fa0f12ff1ad583e815e2ee841b7d61c55c7e7481259a92a8eb11fb2c13d0b183bf89c4ce5b6289c7cf0a5e41be388d5b116b0b0d9c8466ad309351afaf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7105377\83208120.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7105377\83208120.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
Filesize
899KB

MD5
b1170755eb3405b9c0bc87b8ac283c2c

SHA1
549fc9a313cdecb5e1d5046fc7f1595360210618

SHA256
0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7

SHA512
16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33

Download Submit
memory/1032-66-0x0000000000000000-mapping.dmp

Download
memory/1560-61-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/1560-60-0x0000000000010000-0x00000000000FA000-memory.dmp

Filesize
936KB

Download
memory/1560-57-0x0000000000000000-mapping.dmp

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1660-65-0x0000000001260000-0x000000000134A000-memory.dmp

Filesize
936KB

Download
memory/2044-54-0x0000000000BC0000-0x0000000000C48000-memory.dmp

Filesize
544KB

Download
memory/2044-56-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x000000001A930000-0x000000001AA16000-memory.dmp

Filesize
920KB

Download